/// <summary>
/// Validates the signature on the incoming token.
/// </summary>
/// <param name="simpleWebToken">The incoming <see cref="SimpleWebToken"/>.</param>
protected virtual void ValidateSignature(SwtSecurityToken simpleWebToken)
{
if (simpleWebToken == null)
{
throw new ArgumentNullException("simpleWebToken");
}
if (String.IsNullOrEmpty(simpleWebToken.SerializedToken) || String.IsNullOrEmpty(simpleWebToken.Signature))
{
throw new SecurityTokenValidationException("The token does not have a signature to verify");
}
string serializedToken = simpleWebToken.SerializedToken;
string unsignedToken = null;
// Find the last parameter. The signature must be last per SWT specification.
int lastSeparator = serializedToken.LastIndexOf(ParameterSeparator);
// Check whether the last parameter is an hmac.
if (lastSeparator > 0)
{
string lastParamStart = ParameterSeparator + SwtSecurityTokenConstants.Signature + "=";
string lastParam = serializedToken.Substring(lastSeparator);
// Strip the trailing hmac to obtain the original unsigned string for later hmac verification.
if (lastParam.StartsWith(lastParamStart, StringComparison.Ordinal))
{
unsignedToken = serializedToken.Substring(0, lastSeparator);
}
}
SwtSecurityTokenKeyIdentifierClause clause = new SwtSecurityTokenKeyIdentifierClause(simpleWebToken.Audience);
InMemorySymmetricSecurityKey securityKey = null;
try
{
securityKey = (InMemorySymmetricSecurityKey)this.Configuration.IssuerTokenResolver.ResolveSecurityKey(clause);
}
catch (InvalidOperationException)
{
throw new SecurityTokenValidationException("A Symmetric key was not found for the given key identifier clause.");
}
string generatedSignature = GenerateSignature(unsignedToken, securityKey.GetSymmetricKey());
if (string.CompareOrdinal(HttpUtility.UrlDecode(generatedSignature), HttpUtility.UrlDecode(simpleWebToken.Signature)) != 0)
{
throw new SecurityTokenValidationException("The signature on the incoming token is invalid.");
}
}
/// <summary>
/// Validates the signature on the incoming token.
/// </summary>
/// <param name="simpleWebToken">The incoming <see cref="SimpleWebToken"/>.</param>
protected virtual void ValidateSignature(SwtSecurityToken simpleWebToken)
{
if (simpleWebToken == null)
{
throw new ArgumentNullException("simpleWebToken");
}
if (String.IsNullOrEmpty(simpleWebToken.SerializedToken) || String.IsNullOrEmpty(simpleWebToken.Signature))
{
throw new SecurityTokenValidationException("The token does not have a signature to verify");
}
string serializedToken = simpleWebToken.SerializedToken;
string unsignedToken = null;
// Find the last parameter. The signature must be last per SWT specification.
int lastSeparator = serializedToken.LastIndexOf(ParameterSeparator);
// Check whether the last parameter is an hmac.
if (lastSeparator > 0)
{
string lastParamStart = ParameterSeparator + SwtSecurityTokenConstants.Signature + "=";
string lastParam = serializedToken.Substring(lastSeparator);
// Strip the trailing hmac to obtain the original unsigned string for later hmac verification.
if (lastParam.StartsWith(lastParamStart, StringComparison.Ordinal))
{
unsignedToken = serializedToken.Substring(0, lastSeparator);
}
}
SwtSecurityTokenKeyIdentifierClause clause = new SwtSecurityTokenKeyIdentifierClause(simpleWebToken.Audience);
InMemorySymmetricSecurityKey securityKey = null;
try
{
securityKey = (InMemorySymmetricSecurityKey)this.Configuration.IssuerTokenResolver.ResolveSecurityKey(clause);
}
catch (InvalidOperationException)
{
throw new SecurityTokenValidationException("A Symmetric key was not found for the given key identifier clause.");
}
string generatedSignature = GenerateSignature(unsignedToken, securityKey.GetSymmetricKey());
if (string.CompareOrdinal(HttpUtility.UrlDecode(generatedSignature), HttpUtility.UrlDecode(simpleWebToken.Signature)) != 0)
{
throw new SecurityTokenValidationException("The signature on the incoming token is invalid.");
}
}
/// <summary>
/// Serializes the given SecurityToken to the XmlWriter.
/// </summary>
/// <param name="writer">XmlWriter into which the token is serialized.</param>
/// <param name="token">SecurityToken to be serialized.</param>
public override void WriteToken(XmlWriter writer, SecurityToken token)
{
SwtSecurityToken simpleWebToken = token as SwtSecurityToken;
if (simpleWebToken == null)
{
throw new SecurityTokenException("The given token is not of the expected type 'SimpleWebToken'.");
}
string signedToken = null;
if (String.IsNullOrEmpty(simpleWebToken.SerializedToken))
{
StringBuilder strBuilder = new StringBuilder();
bool skipDelimiter = true;
NameValueCollection tokenProperties = simpleWebToken.GetAllProperties();
// Remove the signature if present
if (String.IsNullOrEmpty(tokenProperties[SwtSecurityTokenConstants.Signature]))
{
tokenProperties.Remove(SwtSecurityTokenConstants.Signature);
}
foreach (string key in tokenProperties.Keys)
{
if (tokenProperties[key] != null)
{
if (!skipDelimiter)
{
strBuilder.Append(ParameterSeparator);
}
strBuilder.Append(String.Format(
CultureInfo.InvariantCulture,
"{0}={1}",
HttpUtility.UrlEncode(key),
HttpUtility.UrlEncode(tokenProperties[key])));
skipDelimiter = false;
}
}
string serializedToken = strBuilder.ToString();
SwtSecurityTokenKeyIdentifierClause clause = new SwtSecurityTokenKeyIdentifierClause(simpleWebToken.Audience);
InMemorySymmetricSecurityKey securityKey = null;
try
{
securityKey = (InMemorySymmetricSecurityKey)this.Configuration.IssuerTokenResolver.ResolveSecurityKey(clause);
}
catch (InvalidOperationException)
{
throw new SecurityTokenValidationException("A Symmetric key was not found for the given key identifier clause.");
}
// append the signature
string signature = GenerateSignature(serializedToken, securityKey.GetSymmetricKey());
strBuilder.Append(String.Format(
CultureInfo.InvariantCulture,
"{0}{1}={2}",
ParameterSeparator,
HttpUtility.UrlEncode(SwtSecurityTokenConstants.Signature),
HttpUtility.UrlEncode(signature)));
signedToken = strBuilder.ToString();
}
else
{
// Reuse the stored serialized token if present
signedToken = simpleWebToken.SerializedToken;
}
string encodedToken = Convert.ToBase64String(Encoding.UTF8.GetBytes(signedToken));
writer.WriteStartElement(BinarySecurityToken);
writer.WriteAttributeString("Id", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd", token.Id);
writer.WriteAttributeString(ValueType, SwtSecurityTokenConstants.ValueTypeUri);
writer.WriteAttributeString(EncodingType, Base64EncodingType);
writer.WriteString(encodedToken);
writer.WriteEndElement();
}
/// <summary>
/// Serializes the given SecurityToken to the XmlWriter.
/// </summary>
/// <param name="writer">XmlWriter into which the token is serialized.</param>
/// <param name="token">SecurityToken to be serialized.</param>
public override void WriteToken(XmlWriter writer, SecurityToken token)
{
SwtSecurityToken simpleWebToken = token as SwtSecurityToken;
if (simpleWebToken == null)
{
throw new SecurityTokenException("The given token is not of the expected type 'SimpleWebToken'.");
}
string signedToken = null;
if (String.IsNullOrEmpty(simpleWebToken.SerializedToken))
{
StringBuilder strBuilder = new StringBuilder();
bool skipDelimiter = true;
NameValueCollection tokenProperties = simpleWebToken.GetAllProperties();
// Remove the signature if present
if (String.IsNullOrEmpty(tokenProperties[SwtSecurityTokenConstants.Signature]))
{
tokenProperties.Remove(SwtSecurityTokenConstants.Signature);
}
foreach (string key in tokenProperties.Keys)
{
if (tokenProperties[key] != null)
{
if (!skipDelimiter)
{
strBuilder.Append(ParameterSeparator);
}
strBuilder.Append(String.Format(
CultureInfo.InvariantCulture,
"{0}={1}",
HttpUtility.UrlEncode(key),
HttpUtility.UrlEncode(tokenProperties[key])));
skipDelimiter = false;
}
}
string serializedToken = strBuilder.ToString();
SwtSecurityTokenKeyIdentifierClause clause = new SwtSecurityTokenKeyIdentifierClause(simpleWebToken.Audience);
InMemorySymmetricSecurityKey securityKey = null;
try
{
securityKey = (InMemorySymmetricSecurityKey)this.Configuration.IssuerTokenResolver.ResolveSecurityKey(clause);
}
catch (InvalidOperationException)
{
throw new SecurityTokenValidationException("A Symmetric key was not found for the given key identifier clause.");
}
// append the signature
string signature = GenerateSignature(serializedToken, securityKey.GetSymmetricKey());
strBuilder.Append(String.Format(
CultureInfo.InvariantCulture,
"{0}{1}={2}",
ParameterSeparator,
HttpUtility.UrlEncode(SwtSecurityTokenConstants.Signature),
HttpUtility.UrlEncode(signature)));
signedToken = strBuilder.ToString();
}
else
{
// Reuse the stored serialized token if present
signedToken = simpleWebToken.SerializedToken;
}
string encodedToken = Convert.ToBase64String(Encoding.UTF8.GetBytes(signedToken));
writer.WriteStartElement(BinarySecurityToken);
writer.WriteAttributeString("Id", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd", token.Id);
writer.WriteAttributeString(ValueType, SwtSecurityTokenConstants.ValueTypeUri);
writer.WriteAttributeString(EncodingType, Base64EncodingType);
writer.WriteString(encodedToken);
writer.WriteEndElement();
}
